We have a third-party cybersecurity platform that constantly scans all our domains for vulnerabilities. My Discourse server (running 2.9.0.beta7) hosted on DigitalOcean is flagging the following NVTs and CVEs. All of the CVEs are related to nginx. Have I missed a process somewhere to update nginx? Appreciate any assistance.
So we have limited support for the 1-click install. That comes from DigitalOcean, we have no control over it. Despite DigitalOcean saying “Supported By: DigitalOcean”, the Support URL sends folks here, where DO staff are not.
Anyway, first thing I would try, to rule out a weird base image scenario, is to SSH into your droplet, and run the following:
```
cd /var/discourse
git pull
sudo ./launcher rebuild app
```
That last command will ensure you have the latest base image, as well as latest Discourse code. Warning, it will take your site down while running.
I am not personally familiar with NVTs. And Google isn’t exactly giving promising results, see NVT A-105925 - Google Search for example. Best I’m getting is results on securityspace.com, a site that, strangely enough, doesn’t use SSL/TLS itself and looks like it was built in the 90s.
Does your third-party cybersecurity platform provide more details on the 3 NVTs besides titles?